How to set up a BinaryPig Single-Node Cluster Part 2

Everything is now installed, so we're going to run some jobs with BinaryPig. I'm using the VirusShare_APT1_293.zip package for testing purposes. You can download different packages of malware on VirusShare. BinaryPig already comes with a couple of example jobs which can be found at:

The script which is running all the examples is located at:

We will only test the strings.pig job because it's the easiest one, and if this one works, every other one will also work ;-). First of all we need to copy all our binary / malware files into /tmp/data.

We have to change the run_example.sh script a little bit:

This will take a while, but when it's completed you should see all the strings within each malware file dumped to the screen. I'm not using Elasticsearch here at the moment because there is no need to, but it should be no problem to connect it to BinaryPig.

Posted in Malware Analysis

How to set up a BinaryPig Single-Node Cluster Part 1

BinaryPig is a framework for processing huge amounts of binary data. It's built on Hadoop / Apache Pig and Elasticsearch and was presented at Black Hat USA 2013. For more details, see the slides here or the full presentation here. Unfortunately the project is pretty much dead (maybe it's because two of the developers moved to a new company, but who knows ;-)). In this post, I'll describe how to set up a single-node BinaryPig cluster on your own VM. The guys from Endgame Inc. also provided a sample Vagrant installation, but it's not working very well and it's outdated. Maybe I'll just fork the project and continue the development, but let's see.

We’ll start with a finished standard installation of Ubuntu Server 14.04.3 LTS.

Configure your ssh server for public key authentication only.

Restart the ssh server and keep going.

Download hadoop-1.2.1 from a mirror of your choice.

Set JAVA_HOME in hadoop-env.sh.

Create your hadoop temp dir.

Edit core-site.xml.

Configure the following:

Edit mapred-site.xml.

Configure the following:

Edit hdfs-site.xml.

Configure the following:

Format the namenode.

Start Hadoop.

Check if Hadoop is running.

Hadoop is now installed. Now we’re going to install Apache Pig 0.12.1.

Build pig:

Now you should be able to get into the pig shell:


Configure PIG_HOME and PIG_CLASSPATH (not sure if you really need this, but it cannot harm...).


Install BinaryPig:

After the build is completed there should be two .jar files at:


Everything should now be in place for starting the first jobs. This will be described in another blog post.

Posted in Malware Analysis

Flare-On 2015 #2

Here we go again with my solution for challenge 2.

Again there is a little bit of XOR'ing and a little bit of bit-shifting. The function which checks the password starts at address 401084 (see the screenshot). The loop starting at 4010A2 performs some bit operations on each character of your input and compares the result against a hard-coded key beginning at the address stored in EDI (see the OllyDbg screenshot). The reversing was quite easy (see the Python script) and the email is a_Little_b1t_harder_plez@flare-on.com.

[Screenshot: loop in OllyDbg]

See you tomorrow for solution #3 ;-).

Posted in Reverse Engineering

Flare-On 2015 #1

Here we go again for the annual FireEye Flare-On challenge. Unfortunately it started during my summer holidays, so I did not have enough time to complete the whole challenge (I guess I'm also not skilled enough, but anyway...). Although the solutions are already published by FireEye (see here), I'll still write down my solutions just to remember what I did; maybe someone used the same approach or had the same problems as I did.

The interesting part starts at 40104d, where you can find a simple loop which XORs each byte of your input with 0x7d and compares the result to the corresponding byte in byte_402140 (see the screenshots).

[Screenshot: loop]

[Screenshot: key]

Here is a simple python script which solves this for you.


Result -> bunny_sl0pe@flare-on.com
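As an added illustration (not the script from the post), the following Python reimplements the byte-wise check described above and inverts it two ways: directly, since XOR is its own inverse, and with a per-position brute force that also works for byte-wise checks that are not a plain XOR. The expected bytes are reconstructed from the known result rather than dumped from byte_402140.

```python
XOR_KEY = 0x7D  # the constant the loop at 40104d XORs each input byte with

# Constructed for this example: reconstructed from the known answer, not read
# from the binary. The challenge stores (input_byte ^ 0x7d) for each position.
EXPECTED = bytes(c ^ XOR_KEY for c in b"bunny_sl0pe@flare-on.com")


def check_byte(position: int, c: int) -> bool:
    """One iteration of the loop at 40104d: XOR the input byte with 0x7d
    and compare it with the stored byte at that position."""
    return (c ^ XOR_KEY) == EXPECTED[position]


def check_input(candidate: bytes) -> bool:
    """Whole-string check as the binary performs it: same length and
    every byte passes its own comparison."""
    return len(candidate) == len(EXPECTED) and all(
        check_byte(i, c) for i, c in enumerate(candidate)
    )


def solve_direct() -> bytes:
    """XOR is its own inverse, so XORing the stored bytes with the
    key gives the accepted input back."""
    return bytes(b ^ XOR_KEY for b in EXPECTED)


def solve_bruteforce(check, length: int) -> bytes:
    """General per-position brute force: because the check tests each
    byte independently, each position can be solved on its own by trying
    every printable byte. This works for any byte-wise check, not only XOR."""
    result = bytearray()
    for i in range(length):
        for c in range(0x20, 0x7F):  # printable ASCII
            if check(i, c):
                result.append(c)
                break
        else:
            raise ValueError(f"no printable byte satisfies position {i}")
    return bytes(result)


if __name__ == "__main__":
    print(solve_direct().decode())
    print(solve_bruteforce(check_byte, len(EXPECTED)).decode())
```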

See you tomorrow for the solution for #2.

Posted in Uncategorized